Why do API's use a short term API key?
Question
Most API's I have used have an endpoint where you enter a password and get back an API key to use on the rest of the API, which lasts for an hour or something. Why is that considered more secure than just using the password for the data directly?
1 answers
solution1
0 2022-12-21 19:05:52
The main reason to have a short lived key is to minimize the damage in case the key is leaked.
One could ask - if a key is leaked, why wouldn't we just deactivate it? Often this is about the way the key is validated in the api layer.
There are two main approaches how a key is validated: a) a request receiver may ask a central authority to validate the key or b) a request receiver may validate the key locally.
The first approach (central authority) is nice - one could mark a key "inactive" right there; but the approach performs poorly under heavy load - as every api request will result in a call to the authority system.
The second approach, with local checks, is much more scalable. It is (usually) implemented by making sure the api key is an encrypted data structure and request receivers know how to decrypt it locally and run all checks (like expiration).
While the second approach scales very well, there is no reliable way to recall a problematic api key. Hence, minimizing the live time for a key minimizes the impact as well.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.